Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims: 

1. (Currently Amended) A method comprising: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having a corresponding one of the embedded agents, each 
embedded agent to store the symmetric cryptographic key in a secure storage of the client 
having the embedded agent, the secure storage accessible to the embedded agent and not 
directly accessible to a host processor on the client having the embedded agent; and 

providing access to an encrypted traffic flow in a network to one of the a first client 
of the multiple clients if the one of the clients first client is authenticated,, with the key, the 
providing including 

wherein the embedded agent of the first client performs an integrity check of a 
platform of the first client, the integrity check generating integrity information stored in the 
secure storage of the first client, 

wherein the one of the clients detecting first client detects a message requesting a 
secure network connection for the encrypted traffic flow, 

wherein, in response to detecting the message, the embedded agent of the one of the 
clients verifying first client verifies , prior to any allowing of the requested secure network 
connection, that [[ a ]] the platform of the one of the clients first client is not in a 
compromised state at a time before providing access to the encrypted traffic flow, the 
verifying by accessing the integrity information of the secure storage , and 

wherein, in response to the verifying, the embedded agent of the one of the clients 
providing first client provides the cryptographic key and an assertion that the one of the 
clients is not compromised to a verification entity on the network for cryptographic 
processing of data for the traffic flow . 
2. (Currently Amended) A method according to claim 1, wherein provisioning the key 
through the embedded agents further comprises provisioning the key through an embedded 
agent having network access via a network link not visible to a host operating system (OS) 
running on the one of the clients first client . 

3. (Currently Amended) A method according to claim 2, wherein providing access to 
the traffic flow if the one of the clients first client is authenticated comprises the embedded 
agent authenticating the one of the clients first client over the network line not visible to the 
host OS. 

4. (Original) A method according to claim 1 , wherein providing access to the traffic 
flow further comprises providing multiple clients access with the key to nodes in the 
network, the nodes in the network to decrypt the traffic flow and subsequently encrypt the 
traffic flow to transmit the traffic to a next node in the network. 

5. (Previously Presented) A method according to claim 1 , further comprising 
updating at a client the symmetric cryptographic key provisioned across the multiple clients 
through a public and private key exchange with a public and private key associated with the 
client. 

6. (Canceled). 

7. (Currently Amended) A method according to claim 1 , further comprising the 
embedded agent indicating to a remote network device if the one of the clients first client is 
compromised. 
8. (Currently Amended) A method according to claim 1, further comprising the 
embedded agent foreclosing network access to the one of the clients first client if the one of 
the clients first client is compromised. 

9. (Original) A method according to claim 1, further comprising the embedded 
agent performing cryptographic functions on data with the key to authenticate data with the 
key. 

10. (Original) A method according to claim 1 , further comprising the embedded 
agent including a derivative of the key in a header of data to be transmitted to authenticate 
the data with the key. 

11. (Currently Amended) An apparatus comprising: 

a host platform on the apparatus including a host processor; 

a secure memory not visible to applications and an operating system (OS) running on 
the host platform processor ; and 

an embedded computational device communicatively coupled with the host platform, 
the embedded device to have a network link transparent to the host processor and the OS, the 
embedded device to manage a cryptographic key shared among the apparatus and network 
endpoints to be used to communicate with a server over the network, to receive the 
cryptographic key on the transparent link and authenticate the apparatus, and to store the 
cryptographic key in the secure memory, the embedded computational device further to 
perform an integrity check of the host platform, the integrity check generating integrity 
information stored in the secure memory, and to detect a request for a secure network 
connection providing access to an encrypted traffic flow in the network, the embedded 
computational device further to verify, in response to detecting the request for the secure 
network connection and prior to any allowing of the requested secure network connection, 
that the host platform is not in a compromised state at a time before providing access to the 
encrypted traffic flow, the verifying by accessing the integrity information of the secure 
memory , and in response to the verifying, the embedded computational device further to 
provide the cryptographic key and an assertion that the apparatus is not compromised to a 
verification entity on the network for cryptographic processing of data for the traffic flow . 

12. (Original) An apparatus according to claim 11, wherein the embedded device to 
have transparent network link comprises the embedded device to have a network connection 
not accessible by the host platform, the link to comply with the transport layer security (TLS) 
protocol. 

13. (Original) An apparatus according to claim 11, wherein the embedded device to 
have a transparent network link comprises the embedded device to have a network 
connection not accessible by the host platform, the link to comply with the secure sockets 
layer (SSL) protocol. 

14. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to verify the identity of the 
apparatus to a network switching device with the key, the key to also be used by the network 
endpoints to verify their respective identities to the network switching device, and the 
network switching device to decrypt encrypted traffic from the apparatus and the network 
endpoints. 

15. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to hash traffic to be transmitted 
with the key. 
16. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to perform cryptographic services 
with the key on traffic to be transmitted. 

17. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to include a derivative of the key 
in a header of traffic to be transmitted. 

18. (Original) An apparatus according to claim 11, further comprising a second 
embedded computational device, the second embedded device integrated on the host 
platform, to verify the security of the host platform. 

19. (Previously Presented) An apparatus according to claim 18, wherein the first 
embedded device to not authenticate the apparatus if the second embedded device determines 
the host platform is not secure. 

20. (Original) An apparatus according to claim 18, further comprising a bi-directional 
private bus between the first and second embedded devices. 

21. (Original) An apparatus according to claim 11, further comprising a counter 
mode hardware cryptographical module on the host platform to encipher traffic with the 
cryptographic key and further provide a counter mode enciphering of the enciphered traffic. 

22. (Currently Amended) A system comprising: 
a host platform including a host processor; 

a digital signal processor (DSP) coupled with the host platform; and 
an embedded chipset including a secure key storage module to perform cryptographic 
key management of a shared cryptographic key with the secure key storage module and a 
private communication channel accessible to the chipset and not the host platform, and to 
access an image of the host platform for performing an integrity check of the host platform, 
the integrity check generating integrity information stored on a flash accessible to the DSP 
and not secure memory inaccessible to the host processor to determine the integrity of the 
host platform , the shared cryptographic key to be used by the host platform to encipher data 
and other networked devices within a virtual private network, wherein the embedded chipset 
to detect a request for a secure network connection providing access to an encrypted traffic 
flow in the virtual private network, the embedded chipset further to verify, in response to 
detecting the request for the secure network connection and prior to any allowing of the 
requested secure network connection, that the host platform is not in a compromised state at a 
time before providing access to the encrypted traffic flow , the verifying by accessing the 
integrity information of the secure memory , and in response to the verifying, the embedded 
chipset further to provide the cryptographic key and an assertion that the - apparatus is not 
compromised to a verification entity on the virtual private network for cryptographic 
processing of data for the traffic flow . 

23. (Original) A system according to claim 22, wherein the embedded chipset to 
perform cryptographic key distribution with the private communication channel comprises 
the embedded chipset to perform cryptographic key distribution with a communication 
channel complying with the transport layer security (TLS) protocol. 

24. (Previously Presented) A system according to claim 22, wherein the embedded 
chipset comprises an embedded controller agent and an embedded firmware agent, the 
firmware agent to perform the verification that the host platform is not in the compromised 
state, and the controller agent to operate the private communication channel and manage 
access by the host platform to secure network connections. 
25. (Previously Presented) A system according to claim 24, further comprising a 
bi-directional private communication path between the embedded controller agent and the 
embedded firmware agent to allow the agents to interoperate outside a context of the host 
platform. 

26. (Original) A system according to claim 22, further comprising the embedded 
chipset to hash traffic to be transmitted with the key to authenticate the system to one of the 
other networked devices. 

27. (Original) A system according to claim 22, further comprising the embedded 
chipset to perform cryptographic services with the key on traffic to be transmitted to 
authenticate the system to one of the other networked devices. 

28. (Original) A system according to claim 22, further comprising the embedded 
chipset to include a derivative of the key in a header of traffic to be transmitted to 
authenticate the system to one of the other networked devices. 

29. (Currently Amended) An article of manufacture comprising a tangible machine 
accessible medium having content stored thereon to provide instructions to cause a machine 
to perform operations including: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having a corresponding one of the embedded agents, each 
embedded agent to store the symmetric cryptographic key in a secure storage of the client 
having the embedded agent, the secure storage accessible to the embedded agent and not 
directly accessible to a host processor on the client having the embedded agent ; and 

providing access to an encrypted traffic flow in a network to one of the a first client 
of the multiple clients if the one of the clients first client is authenticated.! with the key, the 
providing including 
wherein the embedded agent of the first client performs an integrity check of a 
platform of the first client, the integrity check generating integrity information stored in the 
secure storage of the first client, 

wherein the one of the clients detecting first client detects a message requesting a 
secure network connection for the encrypted traffic flow, 

wherein, in response to detecting the message, the embedded agent of the one of the 
clients verifying first client verifies , prior to any allowing of the requested secure network 
connection, that [[ a ]] the platform of the one of the clients first client is not in a 
compromised state at a time before providing access to the encrypted traffic flow, the 
verifying by accessing the integrity information of the secure storage , and 

wherein, in response to the verifying, the embedded agent of the one of the clients 
providing first client provides the cryptographic key and an assertion that the one of the 
clients is not compromised to a verification entity on the network for cryptographic 
processing of data for the traffic flow . 

30. (Currently Amended) An article of manufacture according to claim 29, wherein the 
content to provide instruction to cause the machine to perform operations including 
provisioning the key through the embedded agents further comprises the content to provide 
instruction to cause the machine to perform operations including provisioning the key 
through an embedded agent having network access via a network link not visible to a host 
operating system (OS) running on the one of the clients first client . 

31. (Currently Amended) An article of manufacture according to claim 30, wherein the 
content to provide instruction to cause the machine to perform operations including providing 
access to the traffic flow if the one of the clients first client is authenticated comprises the 
content to provide instruction to cause the machine to perform operations including 
authenticating the one of the clients first client with the embedded agent over the network 
line not visible to the host OS. 
32. (Original) An article of manufacture according to claim 29, wherein the content 
to provide instruction to cause the machine to perform operations including providing access 
to the traffic flow further comprises the content to provide instruction to cause the machine to 
perform operations including providing multiple clients access with the key to nodes in the 
network, the nodes in the network to decrypt the traffic flow and subsequently encrypt the 
traffic flow to transmit the traffic to a next node in the network. 

33. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
updating at a client the symmetric cryptographic key provisioned across the multiple clients 
through a public and private key exchange with a public and private key associated the client. 

34. (Canceled). 

35. (Currently Amended) An article of manufacture according to claim 29, further 
comprising the content to provide instruction to cause the machine to perform operations 
including indicating with the embedded agent to a remote network device if the one of the 
clients first client is compromised. 

36. (Currently Amended) An article of manufacture according to claim 29, further 
comprising the content to provide instruction to cause the machine to perform operations 
including foreclosing with the embedded agent network access to the one of the clients first 
client if the one of the clients first client is compromised. 
37. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
performing cryptographic functions on data with the key to authenticate data with the key. 

38. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
placing a derivative of the key in a header of data to be transmitted to authenticate the data 
with the key. 
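The gating sequence recited in claims 1, 22 and 29 (an integrity check whose result is kept in storage the host cannot reach, verification of that result when a secure-connection request is detected, and only then the key plus an assertion to a verification entity), as an added illustration in Python that is not the applicant's implementation. The class and function names, the message format and the HMAC-based assertion are assumptions made for the example.

```python
import hashlib
import hmac

class EmbeddedAgent:
    # Hypothetical per-client agent; _secure_storage stands in for memory the host cannot address.
    def __init__(self, platform_image: bytes):
        self._image = platform_image       # read by the agent without involving the host OS
        self._secure_storage = {}

    def receive_key(self, key: bytes) -> None:   # key arrives over the agent's own network link
        self._secure_storage["key"] = key

    def integrity_check(self, reference_digest: bytes) -> None:
        measured = hashlib.sha256(self._image).digest()
        self._secure_storage["integrity"] = (measured, reference_digest)

    def handle_message(self, message: dict):
        # Claim 1 gate: consult stored integrity info before any secure connection is allowed.
        if message.get("type") != "secure_connection_request":
            return None                              # not a connection request
        info = self._secure_storage.get("integrity")
        if info is None or not hmac.compare_digest(info[0], info[1]):
            return {"allowed": False}                # claim 8: foreclose network access
        key = self._secure_storage["key"]
        assertion = b"platform-not-compromised:" + message["flow_id"].encode()
        tag = hmac.new(key, assertion, "sha256").digest()   # assertion bound to the shared key
        return {"allowed": True, "key": key, "assertion": assertion, "tag": tag}

def verification_entity_accepts(shared_key: bytes, reply) -> bool:
    # Network-side check: the assertion must verify under the provisioned key.
    if not reply or not reply.get("allowed"):
        return False
    expected = hmac.new(shared_key, reply["assertion"], "sha256").digest()
    return hmac.compare_digest(expected, reply["tag"])

# Constructed sample: two clients, one whose platform image has been tampered with.
KEY = b"\x11" * 32
GOOD_IMAGE, BAD_IMAGE = b"platform-image-v1", b"platform-image-v1+rootkit"
REFERENCE = hashlib.sha256(GOOD_IMAGE).digest()

def run_demo() -> dict:
    agents = {"good": EmbeddedAgent(GOOD_IMAGE), "bad": EmbeddedAgent(BAD_IMAGE)}
    for agent in agents.values():                    # one symmetric key provisioned across all clients
        agent.receive_key(KEY)
    request = {"type": "secure_connection_request", "flow_id": "flow-42"}
    results = {}
    for name, agent in agents.items():
        agent.integrity_check(REFERENCE)
        results[name] = verification_entity_accepts(KEY, agent.handle_message(request))
    return results                                   # {'good': True, 'bad': False}
```

An agent that has not yet recorded integrity information refuses the request, so a connection can never be allowed ahead of the check.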